Forum Topic: logs showing tons of //RK=0/RS= as 404’s

Forum: .htaccess Forum : Security • Posted by gardenho • Updated:

The last week I’ve seen hundreds of requests in the error logs that result in 404 errors.

The request is like this:

http://example.com//RK=0/RS=GtmE7AxqEX62h_UpcF4GTapIZHQ-

with everything after the last = seemingly random letters & numbers ending with the -.

Googling came up with very little info other than 1 mention on stackoverflow and one other site where they mentioned seeing the same thing pop up recently (since Feb) but puzzled over what they are after.

I just purchased your book Jeff, in hopes I’ll come up with something to stop this and various other attempts because they are absolutely killing my bandwidth every month and my limit is already huge! It’s becoming a full time job going over logs to keep these freaks out – I know the basics with htaccess so I’m hoping to learn lots yet. Thanks for making some tips available free on your web site otherwise I may have never discovered the book!

3 Replies to “logs showing tons of //RK=0/RS= as 404’s”

Posted by Jeff Starr

That looks like the work of automated scripts probing for vulnerabilities. Stopping them can be tricky, depending on the patterns revealed in the log files. If all requests, for example, include the string, “RK=0”, then adding this slice of .htaccess should block them:

RedirectMatch 403 RK=0

This will simply block any matching request with a 403 Forbidden error :)

Posted by gardenho •

Thank you, they do all include the string I put in the topic header. It is definitely automated based on hundreds of them in the log files.

I am building my master .htaccess as I go through your book. I’ll give this redirectmatch a try and see if tomorrow the log is empty of their requests.

Posted by gardenho •

I used this:

RedirectMatch 403 RK=0/RS=

and today all kinds of joy when not one line in the error log showed this morning ;)

Implemented a few other RedirectMatch strings as well and wow, what a diff in the speed on the site already. Thanks!